(7) Roles Versus Groups - Prof. Ravi Sandhu
(7) Roles Versus Groups - Prof. Ravi Sandhu
(7) Roles Versus Groups - Prof. Ravi Sandhu
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
(7) <strong>Roles</strong> <strong>Versus</strong> <strong>Groups</strong><br />
<strong>Ravi</strong> <strong>Sandhu</strong><br />
George Mason University and SETA Corporation<br />
sandhu@isse.gmu.edu<br />
1.0 Discussion<br />
The question of what is different between roles and groups inevitably<br />
arises. Attendees at the workshop felt that if this workshop can settle this<br />
issue, that alone would represent major progress. Considerable time and<br />
energy was devoted at the workshop to discussion on this topic. The<br />
outcome of this discussion is summarized here.<br />
Chris Sundt suggested a pragmatic approach which steered the discussion<br />
in a productive direction. He argued that groups are an established<br />
concept in operating systems with a generally well-understood meaning<br />
much like other operating system concepts such as directories. Although<br />
groups can be extended to provide the same features as roles, it is better to<br />
coin a new term to avoid confusion with the existing concept of a group.<br />
Moreover, groups are a useful concept without being extended to roles.<br />
What is needed therefore is a consensus definition of groups with respect<br />
to which a definition of roles can be developed and compared.<br />
There was consensus that a group is a named collection of users and<br />
possibly other groups. A group is usually non-empty, and will typically<br />
have at least two members. A users can be directly made a member of a<br />
group or indirectly by means of including one group in another. Users are<br />
brought together in a group for some access control purpose. <strong>Groups</strong><br />
serve as a convenient shorthand notation for collections of users and that is<br />
the main motivation for introducing them.<br />
In the subsequent discussion two definitions were proposed for a role, as<br />
follows.<br />
<br />
A role is a named collection of users and permissions, and possibly<br />
other roles.<br />
Copyright 1996 Association for Computing<br />
Machinery. Permission to make digital/hard<br />
copy of all or part of this work for personal or<br />
classroom use is granted without fee provided<br />
that copies are not made or distributed<br />
for profit or commercial advantage; the<br />
copyright notice, the title of the publication,<br />
and its date appear; and notice is given that<br />
copying is by permission of ACM, Inc. To<br />
copy otherwise, to republish, to post on<br />
servers, or to redistribute to lists requires<br />
prior specific permission and/or a fee.<br />
ACM RBAC Workshop, MD, USA<br />
© 1996 ACM 0-89791-759-6/95/0011 $3.50<br />
<br />
A role is a named collection of permissions, and possibly other roles.<br />
Another definition of role as a named collection of responsibilities, and<br />
possibly other roles was also proposed. It was decided that this definition<br />
was an enterprise-level definition of a role going beyond access control<br />
aspects. It was not pursued further in the workshop.<br />
It was agreed that the motivation for roles is convenience in administration<br />
and convenience in articulating policy. Also that the name of a role has<br />
significance and indicates the purpose of the role. It was recognized that<br />
the enterprise-level motivation for roles stems from organizational theory<br />
and predates the use of computers. The workshop consistently took an<br />
access control viewpoint so it was felt that administrative convenience was<br />
the crucial motivation for roles for our purpose.<br />
I-25
At this point there was spirited discussion on the two definitions of roles<br />
given above. It was evident that both definitions are present in the<br />
literature. Definition 1 has the implication that for a given role it should<br />
be easy to enumerate the collection of users and the collection of<br />
permissions brought together by the role. Definition 2 has the lesser<br />
implication that the permissions comprising a role be easy to enumerate.<br />
In contrast the definition of a group has the connotation that the users<br />
comprising the group be easy to enumerate.<br />
Definition 2 focuses on the behavior embodied in a role. Permissions<br />
enable activity in the system. In terms of abstract operations, a physician<br />
role may have the permission to write prescription. Similarly, a manager<br />
role have may permissions to hire and fire employees. A role could be<br />
viewed as a collection of users (in which case there is no difference<br />
between a role and a group). In this view, the emphasis is on the people<br />
who occupy a position in an organization. The manager roles consists of<br />
all users appointed to the manager position.<br />
In general, definition 1 emphasizes roles as a collection of users and<br />
permissions while definition 2 emphasizes roles as collections of<br />
permissions. The workshop attendees could not decide which of<br />
definition 1 or 2 is the “correct” definition. Perhaps the term role can be<br />
used in both ways, but we just need to make clear how it is being used in a<br />
given context. Or perhaps we need to agree as a community to use two<br />
different terms for these two different concepts of a role. In either case a<br />
role is different from a group.<br />
I-26